[Solved] tls1.3 ciphersuites
Added by gabberhead about 6 years ago
I have updated Raspbian to OpenSSL 1.1.1a and also lighttpd 1.4.53, to use it with Pi-hole and have HTTPS over TLS 1.3 instead of TLS 1.2. Before, I had ssl.cipher-list = "AES128+EECDH" in the external.conf file. When I was on the web interface of Pi-hole I had a TLS 1.2 connection with EECDH and AES 128. Now I have successfully upgraded to TLS 1.3. When I am on the web interface I have a TLS 1.3 connection with AES 256, but I would like to have 128, not 256. With TLS 1.2 I could switch between 256 and 128, but with TLS I tried some cipher settings and I always get a TLS 1.3 connection with AES 256. What do I have to use with ssl.cipher-list = "********" to get TLS 1.3 with AES 128 instead of AES 256? Thanks for the answers in advance ;)
Replies (3)
RE: tls1.3 ciphersuites - Added by gstrauss about 6 years ago
What ciphers is your client sending?
If you're on a unix system, you can test with openssl s_client ... and select client ciphers.
lighttpd.conf controls for mod_openssl include:
- ssl.cipher-list
- ssl.honor-cipher-order (set by default when ssl.cipher-list is set)
- ssl.openssl.ssl-conf-cmd (very flexible, so this is what I would suggest you use to try configuring your desired restrictions)
https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html
RE: tls1.3 ciphersuites - Added by gabberhead about 6 years ago
I tested some things and this is now my config, and it works as wanted:
$HTTP["host"] == "pi.hole" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/home/pi/pihole.pem"
    ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256")+("Protocol" => "-ALL, TLSv1.3")+("Curves" => "secp384r1")
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
with:
ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256")+("Protocol" => "-ALL, TLSv1.3")
I get this output with:
openssl s_client -connect pi.hole:443 -tls1
CONNECTED
1996095488:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1536:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
openssl s_client -connect pi.hole:443 -tls1_1
CONNECTED
1995587584:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1536:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
openssl s_client -connect pi.hole:443 -tls1_2
CONNECTED
1996386304:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1536:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 210 bytes
Verification: OK
openssl s_client -connect pi.hole:443 -tls1_3
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
RE: [Solved] tls1.3 ciphersuites - Added by gstrauss about 6 years ago
Thank you for the detailed update. Hopefully others will find your examples useful, too. Cheers.
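The per-version s_client checks from the thread, turned into a repeatable script. This is an added example, not code from either poster or from lighttpd; the function names and result strings are assumptions of the example, while the host, the suite and the sample error line come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise `openssl s_client` output read
# on stdin as one of:
#   rejected:<alert number>   the server answered with a TLS alert
#   ok:<protocol>:<cipher>    the handshake completed
#   unknown                   neither was found
classify_handshake() {
    awk '
        /SSL alert number/ { sub(/.*SSL alert number /, ""); alert = $0; next }
        /^ *Protocol *:/   { sub(/^[^:]*: */, ""); proto = $0; next }
        /^ *Cipher *:/     { sub(/^[^:]*: */, ""); cipher = $0; next }
        END {
            if (cipher == "0000") cipher = ""  # printed when no suite was negotiated
            if (alert != "") print "rejected:" alert
            else if (proto != "" && cipher != "") print "ok:" proto ":" cipher
            else print "unknown"
        }'
}

# Policy from the thread: only TLS 1.3 with the wanted suite may complete.
# $1 = s_client version flag without the dash, $2 = classify_handshake result,
# $3 = wanted TLS 1.3 suite. Returns 0 when the result is acceptable.
policy_ok() {
    case "$1" in
        tls1_3) [ "$2" = "ok:TLSv1.3:$3" ] ;;
        *)      case "$2" in ok:*) return 1 ;; *) return 0 ;; esac ;;
    esac
}

# Probe host:port once per protocol version; returns 1 if any probe violates
# the policy. Needs the openssl CLI and network access to the server.
check_server() {
    target=$1; want=${2:-TLS_AES_128_GCM_SHA256}; rc=0
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        res=$(openssl s_client -connect "$target" "-$v" </dev/null 2>&1 | classify_handshake)
        if policy_ok "$v" "$res" "$want"; then echo "PASS $v $res"
        else echo "FAIL $v $res"; rc=1; fi
    done
    return "$rc"
}

if [ $# -ge 1 ]; then
    check_server "$@"          # e.g. sh check_tls.sh pi.hole:443
else
    # No target given: classify the TLS 1.2 error line quoted in the thread.
    echo '1996386304:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1536:SSL alert number 70' | classify_handshake
fi
```

Alert number 70 is protocol_version, which is what the server returned for every version below TLS 1.3 in the output above. A probe that the local openssl build cannot perform is reported as unknown and counts as "not negotiated" for the older versions.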